Opened 6 years ago

Closed 5 years ago

Last modified 5 years ago

#5835 closed Bugs (wontfix)

cregex.cpp, fileiter.cpp, posix_api.cpp using unsafe sprintf

Reported by: noloader@… Owned by: asutton
Milestone: To Be Determined Component: graph
Version: Boost 1.47.0 Severity: Problem
Keywords: Cc: noloader@…


Folks performing a security audit on Boost will have to take a look at cregex.cpp, fileiter.cpp and posix.cpp since it is using unsafe function such as sprintf.

The same folks will have to fail Boost because its ignoring return values from sprintf (MAX_PATH is easy to overflow in practice, especially when the attacker controls the input).

cregex.cpp BuildFileList?:

char buf[MAX_PATH];

    (::sprintf_s)(buf, sizeof(buf), "%s%s%s", dstart.path(), directory_iterator::separator(), ptr);
    (std::sprintf)(buf, "%s%s%s", dstart.path(), directory_iterator::separator(), ptr);

Ditto for fileiter.cpp _fi_attributes:

unsigned _fi_attributes(const char* root, const char* name)
  char buf[MAX_PATH];
  if( ( (root[0] == *_fi_sep) || (root[0] == *_fi_sep_alt) ) && (root[1] == '\0') )
    (std::sprintf)(buf, "%s%s", root, name);
    (std::sprintf)(buf, "%s%s%s", root, _fi_sep, name);
    DIR* d = opendir(buf);
      return _fi_dir;
  return 0;

In general, I would expect an ostringstream to be a more appropriate choice for a c++ library (rather than sprintf and snprintf). At minimum, the original authors and/or Boost QA team should place comments in the code for assurance purposes.

I can't really comment on iohb.c since I'm not familiar with the Harwell-Boeing File format. However, I expect that an attacker *will* manipulate the header, and I don't trust NIST's use of unchecked sprintf, sscanf, and friends under adverse conditions and a hostile environment. For example, in readHB_header, the authors continue to parse even if sscanf encounters an error:

    if ( sscanf(line,"%i",&Totcrd) != 1) Totcrd = 0;
    if ( sscanf(line,"%*i%i",Ptrcrd) != 1) *Ptrcrd = 0;
    if ( sscanf(line,"%*i%*i%i",Indcrd) != 1) *Indcrd = 0;
    if ( sscanf(line,"%*i%*i%*i%i",Valcrd) != 1) *Valcrd = 0;
    if ( sscanf(line,"%*i%*i%*i%*i%i",Rhscrd) != 1) *Rhscrd = 0;

For iohb.c, I would reject the submission until the authors port it to c++ (there are too many little problems lurking in the C code). At minimum, don't distribute iohb.c until its known to be safe (place the honus on the authors who claim its ready for production).

Attachments (0)

Change History (5)

comment:1 Changed 6 years ago by Jeffrey Walton <noloader@…>

  • Cc noloader@… added
  • Component changed from None to regex
  • Owner set to johnmaddock

comment:2 Changed 6 years ago by johnmaddock

(In [74897]) Improve sprintf usage. Stop passing UDT's through (...) even in meta programs. Fixes #5958. Refs #5835.

comment:3 Changed 6 years ago by johnmaddock

  • Component changed from regex to graph
  • Owner changed from johnmaddock to asutton

Fixed in Boost.Regex, reassigning to the Graph lib.

comment:4 Changed 5 years ago by jewillco

  • Resolution set to wontfix
  • Status changed from new to closed

This code (iohb.[ch]) is in an example that is not even compiled by default, and the example (minimum_degree_ordering.cpp) never calls the functions in iohb.c that use sprintf. Thus, I see no reason to change anything unless there are problems in the Harwell-Boeing reader code.

comment:5 Changed 5 years ago by noloader@…

set to wontfix

+1 for the freetards

Provide broken code, waste a persons time who has to audit the broken code, and then claim its not even used. WTF?

Add Comment

Modify Ticket

Change Properties
Set your email in Preferences
as closed The owner will remain asutton.
The resolution will be deleted. Next status will be 'reopened'.

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.